WebScanify

Responsible Disclosure Policy

Last updated: 17 May 2026  |  Effective immediately

We take the security of WebScanify seriously. If you have discovered a security vulnerability in our platform, we appreciate your help in responsibly disclosing it to us. We commit to working with you to understand and address confirmed issues promptly.

1. How to Report

Send your report by email to [email protected] with the subject line "Responsible Disclosure".

Please include as much of the following as possible:

  • A clear description of the vulnerability and its potential impact.
  • The affected URL(s), endpoint(s), or component(s).
  • Step-by-step reproduction instructions.
  • Any proof-of-concept code, screenshots, or request/response captures (redact any sensitive personal data).
  • Your suggested severity assessment (Critical / High / Medium / Low).
  • Your name or handle (for acknowledgement, if desired).

You may also reach us at [email protected] if the security address is unavailable.

2. Our Response Commitments

  • 24 h: We will acknowledge receipt of your report within 24 hours on business days.
  • 7 days: We will provide an initial triage assessment — confirming or disputing the finding — within 7 calendar days.
  • 90 days: We aim to release a fix for confirmed vulnerabilities within 90 calendar days. If a fix cannot be issued in that window we will communicate progress and an updated timeline.

We will notify you when the fix is deployed, and credit you in our acknowledgements section (see below) unless you prefer anonymity.

3. What We Ask of You

To qualify for good-faith treatment under this policy, please:

  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
  • Do not perform denial-of-service attacks, social engineering, physical attacks, or attacks on our infrastructure providers.
  • Do not disclose the vulnerability publicly until we have had 90 days to address it, or we have mutually agreed to an earlier disclosure date.
  • Do not scan or test systems that belong to WebScanify's users — only test the WebScanify platform itself (webscanify.com and its subdomains).
  • Test only with accounts you own or have explicit permission to use.
  • Stop testing immediately and notify us if you encounter live personal data of other users.

4. Safe Harbour

We will not pursue civil or criminal legal action against researchers who act in good faith in accordance with this policy. Good faith means:

  • You discovered the vulnerability incidentally or through authorised testing on your own accounts.
  • You reported it to us promptly and refrained from public disclosure until we fixed it or 90 days elapsed.
  • You did not exploit the vulnerability beyond what was needed to confirm it.
  • You complied with all other conditions in Section 3 above.

This safe harbour applies only to vulnerabilities reported under this policy and does not waive any legal rights we may have against malicious actors.

5. Out of Scope

The following are outside the scope of this policy:

  • Denial-of-service or volumetric attacks.
  • Clickjacking on pages without sensitive actions.
  • Missing security headers where exploitation requires other preconditions not present.
  • Vulnerabilities in third-party services, libraries, or infrastructure that we do not control.
  • Reports generated by automated scanners without manual verification.
  • Social engineering or phishing attacks against our staff or users.
  • Physical security issues.

6. Rewards

WebScanify does not currently offer a formal bug bounty programme with monetary rewards. However, for valid, high-impact findings we may offer:

  • Public acknowledgement in our hall of thanks (see below).
  • A complimentary paid plan credit at our discretion.

We reserve the right to change or discontinue any rewards without notice.

7. Acknowledgements

We thank the following security researchers for their responsible disclosures:

No disclosures have been received yet. Be the first!

8. Policy Updates

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of the service constitutes acceptance of the current policy.
